ContentSecurityPolicy
Provides tools for working with the Content-Security-Policy header to help defeat XSS attacks.
Table of Contents
Properties
- $autoNonce : bool
- Replace nonce tag automatically
- $baseURI : array<string|int, mixed>|string
- Used for security enforcement
- $childSrc : array<string|int, mixed>|string
- Used for security enforcement
- $connectSrc : array<string|int, mixed>
- Used for security enforcement
- $CSPEnabled : bool
- Whether Content Security Policy is being enforced.
- $defaultSrc : array<string|int, mixed>|string
- Used for security enforcement
- $directives : array<string, string>
- CSP directives
- $fontSrc : array<string|int, mixed>|string
- Used for security enforcement
- $formAction : array<string|int, mixed>|string
- Used for security enforcement
- $frameAncestors : array<string|int, mixed>|string
- Used for security enforcement
- $frameSrc : array<string|int, mixed>|string
- Used for security enforcement
- $imageSrc : array<string|int, mixed>|string
- Used for security enforcement
- $manifestSrc : array<string|int, mixed>|string
- Used for security enforcement
- $mediaSrc : array<string|int, mixed>|string
- Used for security enforcement
- $nonces : array<string|int, mixed>
- Used for security enforcement
- $objectSrc : array<string|int, mixed>|string
- Used for security enforcement
- $pluginTypes : array<string|int, mixed>|string
- Used for security enforcement
- $reportOnly : bool
- Used for security enforcement
- $reportOnlyHeaders : array<string|int, mixed>
- An array of header info to build that should only be reported.
- $reportURI : string|null
- A set of endpoints to which CSP violation reports will be sent when particular behaviors are prevented.
- $sandbox : array<string|int, mixed>|string
- Used for security enforcement
- $scriptNonce : string
- Nonce for script
- $scriptNonceTag : string
- Nonce tag for script
- $scriptSrc : array<string|int, mixed>|string
- Used for security enforcement
- $styleNonce : string
- Nonce for style
- $styleNonceTag : string
- Nonce tag for style
- $styleSrc : array<string|int, mixed>|string
- Used for security enforcement
- $tempHeaders : array<string|int, mixed>
- An array of header info that has to be built here before it is passed to the Response.
- $upgradeInsecureRequests : bool
- Used for security enforcement
- $validSources : array<int, string>
- Used for security enforcement
Methods
- __construct() : mixed
- Constructor.
- addBaseURI() : $this
- Adds a new baseURI value. Can be either a URI class or a simple string.
- addChildSrc() : $this
- Adds a new valid source for workers and embedded frame contents (child-src). Can be either a URI class or a simple string.
- addConnectSrc() : $this
- Adds a new valid origin for connections made via XHR, WebSockets and EventSource (connect-src). Can be either a URI class or a simple string.
- addFontSrc() : $this
- Adds a new valid origin for web fonts (font-src). Can be either a URI class or a simple string.
- addFormAction() : $this
- Adds a new valid endpoint for a form's action. Can be either a URI class or a simple string.
- addFrameAncestor() : $this
- Adds a new resource that should allow embedding the resource using <frame>, <iframe>, <object>, <embed>, or <applet>
- addFrameSrc() : $this
- Adds a new valid endpoint for valid frame sources. Can be either a URI class or a simple string.
- addImageSrc() : $this
- Adds a new valid endpoint for valid image sources. Can be either a URI class or a simple string.
- addManifestSrc() : $this
- Adds a new valid endpoint for manifest sources. Can be either a URI class or simple string.
- addMediaSrc() : $this
- Adds a new valid endpoint for valid video and audio. Can be either a URI class or a simple string.
- addObjectSrc() : $this
- Adds a new valid endpoint for Flash and other plugin sources. Can be either a URI class or a simple string.
- addPluginType() : $this
- Limits the types of plugins that can be used. Accepts one or more MIME types, as an array or a space-separated string.
- addSandbox() : $this
- Specifies an HTML sandbox policy that the user agent applies to the protected resource.
- addScriptSrc() : $this
- Adds a new valid endpoint for javascript file sources. Can be either a URI class or a simple string.
- addStyleSrc() : $this
- Adds a new valid endpoint for CSS file sources. Can be either a URI class or a simple string.
- clearDirective() : void
- Clear the directive.
- enabled() : bool
- Whether Content Security Policy is being enforced.
- finalize() : void
- Compiles and sets the appropriate headers on the response.
- getScriptNonce() : string
- Get the nonce for the script tag.
- getStyleNonce() : string
- Get the nonce for the style tag.
- reportOnly() : $this
- If TRUE, nothing will be restricted. Instead all violations will be reported to the reportURI for monitoring. This is useful when you are just starting to implement the policy, and will help determine what errors need to be addressed before you turn on all filtering.
- setDefaultSrc() : $this
- Sets the default source used by directives that have no explicit value (default-src). Can be either a URI class or a simple string.
- setReportURI() : $this
- Specifies a URL where a browser will send reports when a content security policy is violated. Can be either a URI class or a simple string.
- upgradeInsecureRequests() : $this
- Sets whether user agents should rewrite URL schemes, upgrading HTTP to HTTPS.
- addOption() : void
- DRY method to add a string or array to a class property.
- addToHeader() : void
- Adds a directive and its options to the appropriate header. The $values array might have options that are geared toward either the regular or the reportOnly header, since it is viable to have both simultaneously.
- buildHeaders() : void
- Based on the current state of the elements, will add the appropriate Content-Security-Policy and Content-Security-Policy-Report-Only headers with their values to the response object.
- generateNonces() : void
- Scans the body of the response message and replaces any nonce placeholders with actual nonces, which are then added to the headers.
Properties
$autoNonce
Replace nonce tag automatically
protected
bool
$autoNonce
= true
$baseURI
Used for security enforcement
protected
array<string|int, mixed>|string
$baseURI
= []
$childSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$childSrc
= []
$connectSrc
Used for security enforcement
protected
array<string|int, mixed>
$connectSrc
= []
$CSPEnabled
Whether Content Security Policy is being enforced.
protected
bool
$CSPEnabled
= false
$defaultSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$defaultSrc
= []
$directives
CSP directives
protected
array<string, string>
$directives
= ['base-uri' => 'baseURI', 'child-src' => 'childSrc', 'connect-src' => 'connectSrc', 'default-src' => 'defaultSrc', 'font-src' => 'fontSrc', 'form-action' => 'formAction', 'frame-ancestors' => 'frameAncestors', 'frame-src' => 'frameSrc', 'img-src' => 'imageSrc', 'media-src' => 'mediaSrc', 'object-src' => 'objectSrc', 'plugin-types' => 'pluginTypes', 'script-src' => 'scriptSrc', 'style-src' => 'styleSrc', 'manifest-src' => 'manifestSrc', 'sandbox' => 'sandbox', 'report-uri' => 'reportURI']
[name => property]
$fontSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$fontSrc
= []
$formAction
Used for security enforcement
protected
array<string|int, mixed>|string
$formAction
= []
$frameAncestors
Used for security enforcement
protected
array<string|int, mixed>|string
$frameAncestors
= []
$frameSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$frameSrc
= []
$imageSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$imageSrc
= []
$manifestSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$manifestSrc
= []
$mediaSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$mediaSrc
= []
$nonces
Used for security enforcement
protected
array<string|int, mixed>
$nonces
= []
$objectSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$objectSrc
= []
$pluginTypes
Used for security enforcement
protected
array<string|int, mixed>|string
$pluginTypes
= []
$reportOnly
Used for security enforcement
protected
bool
$reportOnly
= false
$reportOnlyHeaders
An array of header info to build that should only be reported.
protected
array<string|int, mixed>
$reportOnlyHeaders
= []
$reportURI
A set of endpoints to which CSP violation reports will be sent when particular behaviors are prevented.
protected
string|null
$reportURI
$sandbox
Used for security enforcement
protected
array<string|int, mixed>|string
$sandbox
= []
$scriptNonce
Nonce for script
protected
string
$scriptNonce
$scriptNonceTag
Nonce tag for script
protected
string
$scriptNonceTag
= '{csp-script-nonce}'
$scriptSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$scriptSrc
= []
$styleNonce
Nonce for style
protected
string
$styleNonce
$styleNonceTag
Nonce tag for style
protected
string
$styleNonceTag
= '{csp-style-nonce}'
$styleSrc
Used for security enforcement
protected
array<string|int, mixed>|string
$styleSrc
= []
$tempHeaders
An array of header info that has to be built here before it is passed to the Response.
protected
array<string|int, mixed>
$tempHeaders
= []
$upgradeInsecureRequests
Used for security enforcement
protected
bool
$upgradeInsecureRequests
= false
$validSources
Used for security enforcement
protected
array<int, string>
$validSources
= ['self', 'none', 'unsafe-inline', 'unsafe-eval']
Methods
__construct()
Constructor.
public
__construct(ContentSecurityPolicy $config) : mixed
Stores our default values from the Config file.
Parameters
- $config : ContentSecurityPolicy
addBaseURI()
Adds a new baseURI value. Can be either a URI class or a simple string.
public
addBaseURI(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
baseURI restricts the URLs that can appear in a page's <base> element.
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addChildSrc()
Adds a new valid source for workers and embedded frame contents (child-src). Can be either a URI class or a simple string.
public
addChildSrc(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
child-src lists the URLs for workers and embedded frame contents. For example: child-src https://youtube.com would enable embedding videos from YouTube but not from other origins.
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addConnectSrc()
Adds a new valid origin for connections made via XHR, WebSockets and EventSource (connect-src). Can be either a URI class or a simple string.
public
addConnectSrc(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
connect-src limits the origins to which you can connect (via XHR, WebSockets, and EventSource).
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addFontSrc()
Adds a new valid origin for web fonts (font-src). Can be either a URI class or a simple string.
public
addFontSrc(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
font-src specifies the origins that can serve web fonts.
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addFormAction()
Adds a new valid endpoint for a form's action. Can be either a URI class or a simple string.
public
addFormAction(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addFrameAncestor()
Adds a new resource that should allow embedding the resource using <frame>, <iframe>, <object>, <embed>, or <applet>
public
addFrameAncestor(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addFrameSrc()
Adds a new valid endpoint for valid frame sources. Can be either a URI class or a simple string.
public
addFrameSrc(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addImageSrc()
Adds a new valid endpoint for valid image sources. Can be either a URI class or a simple string.
public
addImageSrc(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addManifestSrc()
Adds a new valid endpoint for manifest sources. Can be either a URI class or simple string.
public
addManifestSrc(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addMediaSrc()
Adds a new valid endpoint for valid video and audio. Can be either a URI class or a simple string.
public
addMediaSrc(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addObjectSrc()
Adds a new valid endpoint for Flash and other plugin sources. Can be either a URI class or a simple string.
public
addObjectSrc(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addPluginType()
Limits the types of plugins that can be used. Accepts one or more MIME types, as an array or a space-separated string.
public
addPluginType(array<string|int, mixed>|string $mime[, bool|null $explicitReporting = null ]) : $this
Parameters
- $mime : array<string|int, mixed>|string
- One or more plugin MIME types, separated by spaces
- $explicitReporting : bool|null = null
Return values
$this
addSandbox()
Specifies an HTML sandbox policy that the user agent applies to the protected resource.
public
addSandbox(array<string|int, mixed>|string $flags[, bool|null $explicitReporting = null ]) : $this
Parameters
- $flags : array<string|int, mixed>|string
- An array of sandbox flags that can be added to the directive.
- $explicitReporting : bool|null = null
Return values
$this
addScriptSrc()
Adds a new valid endpoint for javascript file sources. Can be either a URI class or a simple string.
public
addScriptSrc(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
addStyleSrc()
Adds a new valid endpoint for CSS file sources. Can be either a URI class or a simple string.
public
addStyleSrc(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
clearDirective()
Clear the directive.
public
clearDirective(string $directive) : void
Parameters
- $directive : string
- CSP directive
enabled()
Whether Content Security Policy is being enforced.
public
enabled() : bool
Return values
bool
finalize()
Compiles and sets the appropriate headers on the response.
public
finalize(ResponseInterface $response) : void
Should be called just prior to sending the response to the user agent.
Parameters
- $response : ResponseInterface
getScriptNonce()
Get the nonce for the script tag.
public
getScriptNonce() : string
Return values
string
getStyleNonce()
Get the nonce for the style tag.
public
getStyleNonce() : string
Return values
string
reportOnly()
If TRUE, nothing will be restricted. Instead all violations will be reported to the reportURI for monitoring. This is useful when you are just starting to implement the policy, and will help determine what errors need to be addressed before you turn on all filtering.
public
reportOnly([bool $value = true ]) : $this
Parameters
- $value : bool = true
Return values
$this
setDefaultSrc()
Sets the default source used by directives that have no explicit value (default-src). Can be either a URI class or a simple string.
public
setDefaultSrc(array<string|int, mixed>|string $uri[, bool|null $explicitReporting = null ]) : $this
default-src is the source used by many of the directives when no other source has been set.
Parameters
- $uri : array<string|int, mixed>|string
- $explicitReporting : bool|null = null
Return values
$this
setReportURI()
Specifies a URL where a browser will send reports when a content security policy is violated. Can be either a URI class or a simple string.
public
setReportURI(string $uri) : $this
Parameters
- $uri : string
- URL to send reports to. Set '' if you want to remove this directive at runtime.
Return values
$this
upgradeInsecureRequests()
Sets whether user agents should rewrite URL schemes, upgrading HTTP to HTTPS.
public
upgradeInsecureRequests([bool $value = true ]) : $this
Parameters
- $value : bool = true
Return values
$this
addOption()
DRY method to add a string or array to a class property.
protected
addOption(array<int, string>|string $options, string $target[, bool|null $explicitReporting = null ]) : void
Parameters
- $options : array<int, string>|string
- $target : string
- $explicitReporting : bool|null = null
addToHeader()
Adds a directive and its options to the appropriate header. The $values array might have options that are geared toward either the regular or the reportOnly header, since it is viable to have both simultaneously.
protected
addToHeader(string $name[, array<string|int, mixed>|string|null $values = null ]) : void
Parameters
- $name : string
- $values : array<string|int, mixed>|string|null = null
buildHeaders()
Based on the current state of the elements, will add the appropriate Content-Security-Policy and Content-Security-Policy-Report-Only headers with their values to the response object.
protected
buildHeaders(ResponseInterface $response) : void
Parameters
- $response : ResponseInterface
generateNonces()
Scans the body of the response message and replaces any nonce placeholders with actual nonces, which are then added to the headers.
protected
generateNonces(ResponseInterface $response) : void
Parameters
- $response : ResponseInterface
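The following is an added usage example, not code from this page or from the framework's own documentation. It ties together the reportOnly / $explicitReporting behaviour described under addToHeader() and the nonce placeholder replacement described under generateNonces(): an enforced policy, one candidate source routed only into the Content-Security-Policy-Report-Only header, and inline markup carrying the {csp-script-nonce} and {csp-style-nonce} tags that finalize() replaces. The namespaces CodeIgniter\HTTP\ContentSecurityPolicy and CodeIgniter\HTTP\ResponseInterface, the report URL and the CDN origin are assumptions.

```php
<?php
// Added example; assumed CodeIgniter 4 namespaces, methods as documented above.
use CodeIgniter\HTTP\ContentSecurityPolicy;
use CodeIgniter\HTTP\ResponseInterface;

function applyPolicy(ContentSecurityPolicy $csp, ResponseInterface $response): void
{
    // Enforced policy. Keywords listed in $validSources ('self', 'none', ...)
    // are passed bare; the class quotes them when it builds the header.
    $csp->setDefaultSrc('self')
        ->addScriptSrc('self')
        ->addStyleSrc('self')
        ->addObjectSrc('none')              // plugins are not needed: deny them
        ->addFrameAncestor('none')          // clickjacking defence
        ->setReportURI('/csp-report')       // constructed report endpoint
        ->upgradeInsecureRequests(true);

    // Candidate source under evaluation: $explicitReporting = true puts it in
    // the Report-Only header only, so violations are reported but not enforced
    // while the rest of the policy above stays enforced.
    $csp->addScriptSrc('https://cdn.example.com', true);   // constructed origin

    // Inline script and style carry the placeholder tags from $scriptNonceTag
    // and $styleNonceTag. finalize() swaps them for per-response nonces and
    // adds the matching nonce sources to script-src / style-src, so inline
    // code injected without the nonce is blocked even though inline code
    // we authored still runs.
    $html = <<<'HTML'
<!DOCTYPE html>
<html><head>
<style nonce="{csp-style-nonce}">body { margin: 0; }</style>
</head><body>
<script nonce="{csp-script-nonce}">console.log('nonce-bound inline script');</script>
</body></html>
HTML;
    $response->setBody($html);

    // Must run just before the response is sent: performs the nonce
    // substitution and writes both Content-Security-Policy headers.
    $csp->finalize($response);
}
```

Because finalize() only rewrites placeholders that are already in the body, it has to be called after the body is set; calling it earlier leaves the literal tags in the markup and the nonces in the header will match nothing.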